| 1 | +--- |
| 2 | +title: 'Create workbooks for Microsoft Sentinel solutions' |
| 3 | +description: This article guides you through the process of creating and publishing workbooks to Microsoft Sentinel solutions. |
| 4 | +author: anilgodavarthy |
| 5 | +ms.author: angodavarthy |
| 6 | +ms.service: microsoft-sentinel |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 1/22/2025 |
| 9 | + |
| 10 | +#CustomerIntent: As a ISV partner, I want to create and publish workbooks to my Microsoft Sentinel solution so that I can provide insights to my customers. |
| 11 | +--- |
| 12 | + |
| 13 | +# Creating and publishing workbooks for Microsoft Sentinel solutions |
| 14 | + |
| 15 | +Microsoft Sentinel Workbooks are an integral feature of Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution. These workbooks are designed to provide users with interactive, customizable dashboards that aggregate and visualize data from various sources, enabling organizations to gain deeper insights into their security posture and streamline their threat detection and response efforts. By integrating data from various sources and facilitating collaboration among security teams, Microsoft Sentinel Workbooks play a pivotal role in strengthening an organization's overall security posture. |
| 16 | + |
| 17 | +This article walks you through the process of creating and publishing workbooks to Microsoft Sentinel solutions. |
| 18 | + |
| 19 | +## Use Cases for Microsoft Sentinel Workbooks |
| 20 | +In a Security Operations Center (SOC), Microsoft Sentinel Workbooks are used to monitor and analyze security events in real-time. SOC analysts can create workbooks that display key performance indicators (KPIs) such as incident response times, alert volumes, and threat detection rates. By having a centralized view of security metrics, SOC teams can optimize their workflows and improve incident management processes. |
| 21 | + |
| 22 | +- **Security Operations Center (SOC) Monitoring:** In a Security Operations Center (SOC), Microsoft Sentinel Workbooks are used to monitor and analyze security events in real-time. SOC analysts can create workbooks that display key performance indicators (KPIs) such as incident response times, alert volumes, and threat detection rates. By having a centralized view of security metrics, SOC teams can optimize their workflows and improve incident management processes. |
| 23 | +- **Compliance and Audit Reporting:** Organizations need to adhere to various regulatory standards and audit requirements. Microsoft Sentinel Workbooks help generating compliance reports by visualizing data related to security controls, user activities, and policy enforcement. These reports can be customized to align with specific regulatory frameworks, making it easier for organizations to demonstrate compliance during audits. |
| 24 | +- **Threat Hunting:** Threat hunting involves proactively searching for signs of malicious activity within an organization's environment. Microsoft Sentinel Workbooks aid threat hunters by providing visual representations of anomalous behaviors, attack patterns, and indicators of compromise (IOCs). Hunters can use these insights to uncover hidden threats, investigate suspicious activities, and take preventive actions before incidents escalate. |
| 25 | + |
| 26 | +## Creating and publishing workbooks |
| 27 | + |
| 28 | +### Step 1: Create your workbook using Microsoft Sentinel Workbooks UI |
| 29 | +1. Navigate to the Azure portal and select Microsoft Sentinel from the list of available services. |
| 30 | +1. Ensure you have a designated workspace for your Microsoft Sentinel instance. You can either create a new workspace or select an existing one. |
| 31 | +1. In the Microsoft Sentinel workspace, select on the **Workbooks** tab to access the Workbooks UI. |
| 32 | +1. You can either start with a prebuilt template or create a workbook from scratch: |
| 33 | + 1. *Template:* Browse through the available templates and select one that matches your needs. Templates provide a quick way to get started with commonly used visualizations and metrics. |
| 34 | + 1. *From Scratch:* To create a workbook from scratch, select on the "+ New" button. Clicking on the new button opens a blank workbook where you can add your custom queries and visualizations. |
| 35 | +1. Workbooks aggregate data from various sources. Use the 'Add query' option to bring in data from connected data sources. You can write custom Kusto Query Language (KQL) queries to fetch and filter the data you need. |
| 36 | +1. Once you have your data, you can add and customize visualizations to represent it effectively. Microsoft Sentinel offers various visualization options, including charts, tables, and graphs. Adjust the settings to match your specific requirements. |
| 37 | +1. After designing your workbook, save it to your workspace. |
| 38 | + |
| 39 | +### Step 2: Get the workbook gallery template |
| 40 | + |
| 41 | +1. Navigate to your workbook, select on edit and then advanced editor. |
| 42 | +1. Select the **Gallery Template** tab. |
| 43 | + |
| 44 | +:::image type="content" source="media/sentinel-workbook-creation/sentinel-workbook-edit-mode.png" alt-text="Screenshot showing the edit mode of workbooks in Microsoft Sentinel." lightbox="media/sentinel-workbook-creation/sentinel-workbook-edit-mode.png"::: |
| 45 | + |
| 46 | +1. Copy the gallery template and save it as JSON file on your machine. |
| 47 | +1. Add the below properties to your gallery template. These properties allow us to identify the specific Microsoft Sentinel workbook that was opened. Use the format `sentinel-"workbookName"` for consistency. |
| 48 | + |
| 49 | +```json |
| 50 | + "styleSettings": {}, |
| 51 | + "fromTemplateId": "sentinel-MyNewWorkbook", |
| 52 | + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" |
| 53 | +``` |
| 54 | + 3. Save the JSON file and upload it to the **Workbooks** folder under your solution repository in GitHub. If the Workbooks folder doesn't exist, create it. |
| 55 | + 1. Capture two screenshots of your workbook - one each in dark and light themes. The images are used as preview images for your workbook. Be consistent with the filename conventions - the dark theme filename should contain the word "black" and the light theme image should contain the word "white." Upload these images to https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks/Images/Preview |
| 56 | + 1. You can optionally add a logo that would be displayed in the Workbook. Upload the logo to https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks/Images/Logos folder in GitHub. The logo should be in SVG format. If a logo isn't provided, the default Microsoft Sentinel logo is displayed. |
| 57 | + 1. Add this section for your workbook in the https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json file. This file contains metadata for all the workbooks in the Microsoft Sentinel gallery. For more details, you can look at the existing entries in the file. |
| 58 | + |
| 59 | +```json |
| 60 | +{ |
| 61 | + "workbookKey": "YourWorkbookKey", // in the format of "<Name>Workbook". Ensure that the key is unique across all workbooks |
| 62 | + |
| 63 | + "logoFileName": "",// If you have a logo, provide the filename here |
| 64 | + |
| 65 | + "description": "description of the workbook.", // Will be displayed on the workbooks blade next to the logo and preview images |
| 66 | + |
| 67 | + "dataTypesDependencies": [ "Datatype" ],//The data type(s) that your workbook queries |
| 68 | + |
| 69 | + "dataConnectorsDependencies": [],//Relevant connectors |
| 70 | + |
| 71 | + "previewImagesFileNames": [ ],//The relative path of the preview images you saved under workbooks/images/previews |
| 72 | + |
| 73 | + "version": "1.0", // if this is a new workbook - this should be "1.0" |
| 74 | + |
| 75 | + "title": "Workbook title",//This should be the name of the workbook which will be displayed in the main workbooks blade - for example "Palo Alto overview" |
| 76 | + |
| 77 | + "templateRelativePath": "MyNewWorkbook.json",//The relative path of the JSON of the template (the gallery template you saved) |
| 78 | + |
| 79 | + "subtitle": "", |
| 80 | + |
| 81 | + "provider": "Your company name" //Name of the company/author who owns the workbook and is responsible for providing support |
| 82 | + } |
| 83 | +``` |
| 84 | +## Related content |
| 85 | + |
| 86 | +[Publish Microsoft Sentinel solutions](/azure/sentinel/publish-sentinel-solutions) |
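Review bot: the "Use Cases" section repeats its first bullet verbatim: the intro paragraph directly under `## Use Cases for Microsoft Sentinel Workbooks` is word-for-word the same text as the `- **Security Operations Center (SOC) Monitoring:**` bullet that follows it, so drop the paragraph or shorten it to a one-line lead-in for the list. In Step 2, the nested list restarts at ` 3. Save the JSON file and upload it to the **Workbooks** folder` after the fenced block while every other item uses `1.`, and the fence itself sits at column zero between indented list items, which will break the list numbering when rendered; indent the fence to the list level and use `1.` throughout. Both JSON blocks need a caveat in the surrounding text: the `WorkbooksMetadata.json` sample carries `//` comments, which are not valid JSON and cannot be pasted into the real metadata file, so say the comments are explanatory and must be removed before submitting the pull request; and the three-line `"styleSettings"` / `"fromTemplateId"` / `"$schema"` block is a fragment to merge into the top-level object of the saved gallery template, not a standalone document, so describe it that way (and render the naming rule as `sentinel-<workbookName>` rather than `sentinel-"workbookName"`, which reads as literal quotes). Minor wording: "As a ISV partner" should be "As an ISV partner"; "select on the **Workbooks** tab", "select on the "+ New" button" and "select on edit" should be "select ..."; "help generating compliance reports" should be "help generate compliance reports"; "save it as JSON file" should be "save it as a JSON file".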